Prisoners accessed internet through faulty computer kiosks - inquiry

Prisoners in privately run Mt Eden Corrections Facility were able to access the internet through faulty computer kiosks a security review of public sector computer systems has found.

The security breach was one of 12 "weak points" identified in Government Chief Information Officer Colin McDonald's review of the security of 215 publicly accessible state sector agency IT systems released this morning.

Serco, the company which operates Mt Eden said that on November 26 last year, "an administrative error made it possible to open a web browser session" on kiosks provided to prisoners to allow them to "take responsibility for organising their day-to-day lives and helps to develop literacy and numeracy skills".

Serco's Director of Operations Scott McNairn said the error "allowed for limited access to the internet, policed by a web filter which blocked access to inappropriate sites".

"No email, social media or adult sites were accessed."

The internet access was "limited" and "at no time was it possible to access any other systems or information".

Serco has not said how long prisoners were able to access the internet for.

Mr McNairn said the company had improved security for the kiosks and was "confident" that the likelihood of further problems was "extremely low".

The other issues identified in Mr McDonald's review were at:

# Careers NZ

# Ministry for Culture and Heritage

# Ministry of Education

# EQC

# Commission for Financial Literacy and Retirement Income

# Ministry of Justice

# Maritime NZ

# MidCentral DHB

# Trade and Enterprise

# Ministry of Social Development

# Tertiary Education Commission

"Action has been taken and the systems are now secure", Mr McDonald said.

"There is no evidence any of these weak points lead to a breach of privacy or information security."

Mr McDonald's review was initiated in October last year in response to revelations that private data could be obtained via the Ministry of Social Development's public computer kiosks.

State Services Commissioner Iain Rennie this morning confirmed the report was completed late last year but departments had been working on their response since then.

The issue of public trust in Government agencies' ability to handle private information appropriately was an increasingly important one, Mr Rennie said.

The public was now much more aware of the issue and much less tolerant of misuse of their information.

"We need to raise our game considerably around how we handle people's information."

Mr McDonald said there "will always be a level of risk in this area that must be managed" but the review's key finding was that the management of privacy and information security "is not always meeting best practice and needs to improve".

There was currently too much reliance on work done by IT staff and contractors and not sufficient oversight by senior managers or independent assurance that security standards were being met.

Mr Rennie said "a plan of action" was no underway to address issues identified by the review.

That include the immediate action taken to strengthen security begun when the review was completed in December.

Agencies also had to show by April this year that they had conducted a "detailed risk assessment of their publicly accessible systems".

Agencies will also have to provide security assessments to Mr McDonald by the end of next month and again by the end of March next year, "along with reports about the steps they have taken address privacy and security issues".

"This is an issue about moving the whole system up in terms of the level of performance", Mr Rennie said.

State Services Minister Jonathan Coleman said New Zealanders expected government agencies "will be doing everything they can to ensure the integrity of public sector ICT systems".

"We expect every public service department and agency to comply fully with the agreed plan of action."